A lack of expenditure on IT and cyber security measures leaves many family offices exposed to scams and fraud threats, often powered by fast-developing AI technology.
Family offices, which manage substantial wealth for ultra-high net worth investors, are increasingly being targeted by cyber criminals.
“People actually estimate that the whole cyber scam industry worldwide is now more profitable than the global drug trade,” says Hannes Hofmann, global head of family office group at Citi Wealth. “It shows you that it’s a very organised, very well-structured criminal activity that’s happening.”
A 2024 survey from consultancy Deloitte revealed 43 per cent of family offices globally experienced a cyber attack in the past two years, with half of those suffering from three or more separate breaches. Despite these statistics, only 11 per cent of family offices report being “very well protected” against cyber security risks, while 12 per cent acknowledge being “not protected” at all.
When speaking with family offices about their perceived risks, Mr Hofmann says cyber security consistently emerges as the area where they feel the most exposed.
Sophisticated cyber crime tactics are becoming more prevalent, and Mr Hofmann notes criminals can now deploy artificial intelligence to mimic voices and faces, making scams more convincing. “Today, if you’re a criminal network, you can buy software that enables me to talk to you, but I can look like your mother and I can sound like your mother,” he explains.
In response to the growing threat, Citi has developed a cyber security framework for family offices, contained in a white paper, analysing challenges and solutions. This includes governance, identification of vulnerabilities, protection, detection, repair and resolution.
“I’ve got calls from some of the biggest family offices after we published the white paper,” notes Mr Hofmann. “They said, ‘You know what? We’ve never seen these kinds of checklists from our own technology groups before.’ The fact that we gave them practical tools — asking, do you have this system, have you thought about that — really helps them work through the operational elements of cyber security with their own people.”
Complacent culture
Despite the availability of resources, many family offices remain complacent. “We take it very seriously, and I think you will see a lot more attention from family offices in the next few months,” says Mr Hofmann.
Family offices are often not as well developed technically, believes Joe Boyle, chief executive at Salt, a secure communications app used by several industries. “Their IT spend and their cyber security spend is generally much less than larger, more sophisticated financial institutions — even on a linear basis.” The contrast is stark. These organisations, which oversee billions in assets for ultra-high net worth individuals, may lack even the most basic security infrastructure found in corporate finance.
When it comes to family offices, the challenges go far beyond technology. “They normally have quite well-known personnel at the top… high-value targets,” he says. “From our experience, we would be aware of close protection and different elements we see at a much higher level than in other organisations.”

Personal protection
It’s not just physical security. Family offices, by their nature, are deeply personal institutions. That intimacy, Mr Boyle says, makes them uniquely fragile.
“There’s complex family dynamics and just risks of fallout between personnel, whether it be family members or remote family members or disgruntled personnel,” he says. “There may not be the very clear lines between a lot of different functions within the organisation. This means people who work within the family office tend to know a heck of a lot more about the whole ‘heating base’ than you would if you worked in a large financial institution.”
This blurring of professional and personal boundaries creates major vulnerabilities. It also requires a different approach to managing privacy and trust. “Sometimes it’s actually in your best interest not to know everything,” Mr Boyle says. “By not knowing everything, you yourself will not become a target.”
Mr Boyle underscores the importance of fostering a culture of “awareness without ego”. Friction can be removed if effective and open conversations that stress the need to protect valuable assets are in place. “But education alone isn’t enough,” he suggests. “The tools and habits families adopt can be the difference between discretion and disaster.”
He recalls a cautionary tale: a young member of a client’s family regularly posted running statistics and photos on Strava, a running app. “They were telling everybody basically where they were. It became a major issue,” he says. “From a KRE [Kidnap, Ransom and Extortion] perspective, that is an absolute red flag.”
Most troubling is how asymmetrical the battlefield has become. “To actually physically go and try and kidnap someone… is a high-risk thing to do,” Mr Boyle explains. But with a cyber attack, perpetrators can sit thousands of miles away in a different continent, based in “a jurisdiction that turns a blind eye”.
Despite the existential threat, Mr Boyle sees most family offices reactively investing in security, usually after a breach. “You’re more likely to pay to make it go away after it’s happened, as opposed to invest to make sure it doesn’t happen,” he says.